Assembler: Calculating a memory address with register base

Question

I have this simple assembler command:

mov eax, fs:[30h];

My problem is that I need to know what specific address is really read by this command. I found a lot of documentation about the assembler addressing modes but nothing about the register: notation.

Could somebody please explain me the math behind the address calculation?

Answer 1

FS is an index into a table of Segment Descriptors, which in turn contain a Base Address, which is added to the address. On win32, FS is used to access the Thread Information Block (or more accurately, the Segment Descriptor indexed by FS has a base address such that FS:[0] is the start of the TIB) and FS:[30h] is the location of a pointer to the Process Environment Block. On win64, GS is used to access the TIB.

Answer 2

To get the base address of the FS segment in Win32, you can use the GetThreadSelectorEntry function (x86 only).

If you're writing a debugger, you can use lpThreadLocalBase value from the CREATE_THREAD_DEBUG_INFO/CREATE_PROCESS_DEBUG_INFO structures which are sent to the debugger for every new thread or process. This points to the threads's TEB and works for both x86 and x64 processes (on x64, the GS register is used for TEB).

Answer 3

The best explanation ( and even with pictures ) is placed here:

http://flint.cs.yale.edu/cs422/doc/art-of-asm/pdf/

Chapter 4 is what You should read.